Secure email gateways were built to spot malicious links, attachments, and known spam patterns. Modern BEC often uses plain text, legitimate domains, and business context, so the email appears clean even when the request is fraudulent. The control gap is in context recognition, not message delivery.
Why This Matters for Security Teams
Secure email gateways still do what they were designed to do: filter malware, block suspicious links, and catch known spam patterns. Modern business email compromise slips past those controls because it often looks like a normal conversation, not an attack. That means the failure is not message delivery, but judgment under business context.
This is why NHI Management Group keeps pointing to the broader identity problem behind email abuse in research such as The 52 NHI breaches Report and Ultimate Guide to NHIs — Why NHI Security Matters Now. When an attacker can borrow trust, mimic workflow, or abuse a compromised account, the gateway sees routine business traffic while the organisation sees fraudulent intent only after funds move or data leaves.
Current guidance suggests defenders treat BEC as an identity and process risk, not a mail hygiene problem. In practice, many security teams encounter invoice fraud, payroll diversion, or vendor spoofing only after finance has already validated the request through normal channels.
How It Works in Practice
Modern BEC succeeds because it is engineered to fit existing business behaviour. The attacker may not send a malicious attachment at all. Instead, the message uses a real domain, a clean mailbox, and language that matches an ongoing thread. That defeats the legacy assumption that bad email must contain a bad payload.
Security teams need to add controls that inspect sender identity, transaction context, and workflow anomalies. Human review is not enough on its own, because social proof can be manufactured through compromise of a real account or a lookalike domain. This is where identity-aware controls, stronger verification steps, and out-of-band confirmation matter more than signature-based filtering.
- Use step-up verification for payment changes, bank detail updates, and urgent wire requests.
- Monitor mailbox rules, forwarding changes, and abnormal login patterns for account takeover signals.
- Correlate message timing, sender history, and request type against normal business workflows.
- Apply policy controls at the action layer, not only at the inbox layer.
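The second bullet above is easiest to see against data. The following is an added example, not code from the page or from NHI Management Group: it correlates constructed mailbox audit events (field names, event names, and the two-hour window are assumptions modelled on typical mail-platform audit logs) to surface the account-takeover signals the list describes, namely new inbox rules, forwarding changes, and logins from outside a user's normal countries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox audit events (not real telemetry). Field and event names
# are assumptions that mimic the shape of a typical mail-platform audit log.
AUDIT_EVENTS = [
    {"user": "cfo@example.com", "event": "Login", "country": "GB",
     "ts": "2024-05-06T08:02:00"},
    {"user": "cfo@example.com", "event": "Login", "country": "NG",
     "ts": "2024-05-06T23:14:00"},
    {"user": "cfo@example.com", "event": "New-InboxRule",
     "detail": "move from:finance to folder 'RSS Feeds'", "ts": "2024-05-06T23:20:00"},
    {"user": "cfo@example.com", "event": "Set-Mailbox",
     "detail": "ForwardingSmtpAddress=ap@examp1e-billing.test", "ts": "2024-05-06T23:22:00"},
    {"user": "ap@example.com", "event": "Login", "country": "GB",
     "ts": "2024-05-06T09:00:00"},
    {"user": "ap@example.com", "event": "New-InboxRule",
     "detail": "move newsletters to folder 'Archive'", "ts": "2024-05-06T09:05:00"},
]
# Known-good login countries per user; in practice derived from login history.
BASELINE = {"cfo@example.com": {"GB"}, "ap@example.com": {"GB"}}
RULE_EVENTS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
WINDOW = timedelta(hours=2)   # how soon after an odd login a rule change is suspicious
INTERNAL_DOMAIN = "example.com"

def forwards_externally(event):
    """True when a mailbox change sets forwarding to an address outside our domain."""
    detail = event.get("detail", "")
    if "ForwardingSmtpAddress=" not in detail:
        return False
    target = detail.split("ForwardingSmtpAddress=", 1)[1].strip()
    return not target.lower().endswith("@" + INTERNAL_DOMAIN)

def takeover_signals(events, baseline):
    """Flag external forwarding outright, and correlate other rule changes with a
    login from a non-baseline country inside WINDOW. Returns (user, event, reason)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        odd_logins = [datetime.fromisoformat(e["ts"]) for e in evs
                      if e["event"] == "Login" and e["country"] not in baseline.get(user, set())]
        for e in evs:
            if e["event"] not in RULE_EVENTS:
                continue
            t = datetime.fromisoformat(e["ts"])
            if forwards_externally(e):
                alerts.append((user, e["event"], "external forwarding set"))
            elif any(t - WINDOW <= login <= t for login in odd_logins):
                alerts.append((user, e["event"], "rule change after login from new country"))
    return alerts
```

Only the CFO mailbox is flagged: a rule hiding finance mail minutes after a login from a new country, then forwarding to an external lookalike domain; the accounts-payable user's routine archive rule after a baseline login produces nothing.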
The challenge is growing as attackers use AI to improve language quality and timing. Anthropic’s report on the first AI-orchestrated cyber espionage campaign shows how automation can support more convincing operational tradecraft, while NHIMG’s DeepSeek breach coverage shows how exposed credentials and sensitive data accelerate misuse once trust is lost. As a result, email security must connect detection to identity, access, and payment controls. These controls tend to break down when legacy mail systems are isolated from finance approvals and identity telemetry because the fraud signal is split across separate teams and tools.
Common Variations and Edge Cases
Tighter verification often increases friction, so organisations have to balance fraud resistance against the speed that finance and procurement teams expect. There is no universal standard for this yet, but current guidance suggests treating higher-risk requests differently from ordinary correspondence.
Some BEC campaigns are crude and still get blocked by domain protection or spam controls. The harder cases are internal compromise, vendor thread hijacking, and executive impersonation, where the sender is legitimate but the request is not. That is where controls must look for behavioural anomalies rather than content alone.
Edge cases also appear when shared mailboxes, executive assistants, or outsourced finance teams are part of the workflow. In those environments, rigid rules can create alert fatigue or delay legitimate payments. The practical answer is risk-tiered approval, strong call-back procedures, and transaction controls that trigger only when the requested action is unusual or high impact.
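Risk-tiered approval, as an added example rather than the page's or NHIMG's own code: a payment request is scored against the anomaly signals the guidance names (bank detail change, urgency, sender domain not matching the vendor record, amount out of line, request outside an established thread) and mapped to a tier, so that the call-back procedure fires only for unusual or high-impact requests. The request fields, the vendor master data, and the 3x amount threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    sender_domain: str         # domain of the mailbox that sent the request
    bank_details_changed: bool # request asks to pay to new account details
    urgent: bool               # "pay today" / "before close of business" wording
    in_existing_thread: bool   # reply within an established correspondence thread

# Constructed vendor master data: the domain the vendor normally writes from, the
# typical invoice size, and a call-back number held on file (never taken from the email).
VENDOR_MASTER = {
    "Acme Supplies": {"domain": "acme-supplies.example",
                      "typical_amount": 12_000.0, "callback": "+44 20 0000 0000"},
}
HARD_SIGNALS = {"unknown vendor", "sender domain differs from vendor record",
                "bank details changed"}

def risk_signals(req, master):
    """Return the anomaly signals present on this request."""
    signals = []
    profile = master.get(req.vendor)
    if profile is None:
        signals.append("unknown vendor")
    else:
        if req.sender_domain.lower() != profile["domain"]:
            signals.append("sender domain differs from vendor record")
        if req.amount > 3 * profile["typical_amount"]:
            signals.append("amount far above vendor's typical invoice")
    if req.bank_details_changed:
        signals.append("bank details changed")
    if req.urgent:
        signals.append("urgency pressure")
    if not req.in_existing_thread:
        signals.append("request outside an established thread")
    return signals

def approval_tier(req, master):
    """Map signals to a tier: 'auto', 'second approver' or 'call-back' (out-of-band
    confirmation using the number on file). Returns (tier, signals)."""
    signals = risk_signals(req, master)
    if any(s in HARD_SIGNALS for s in signals):
        return "call-back", signals
    if signals:
        return "second approver", signals
    return "auto", signals
```

Routine invoices from the known domain inside an existing thread flow through untouched, which is what keeps the friction described above confined to the requests that warrant it.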
In short, secure email gateways are necessary but insufficient. They reduce noisy threats, yet modern BEC succeeds by borrowing trust from legitimate business processes, which means the real control boundary sits beyond the inbox.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Identity verification is central when fraudulent requests use legitimate mail. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Compromised email accounts behave like abused non-human or service identities. |
| NIST AI RMF | | Context-aware detection and governance matter when AI improves attacker tradecraft. |
Use AI RMF governance to review how automation changes fraud detection and approval risk.